Network access issue in Home Network

January 3, 2008

Hello, I would appreciate any help on the following very weird issue:

- I have 2 computers (one desktop and one laptop) in my home network which

are named “desktop” and “laptop”, and belong to the same workgroup MSHOME.

- The Desktop is running Windows MCE SP 2 and the laptop Windows XP Pro SP 2.

- I have activated file and printer sharing on the laptop and try to access

a share from the desktop. I don’t use “simple” file sharing but have

configured the share permissions to allow full access to the share by a user

with administrator rights that exists in the laptop, let’s say “userA”

- I have also activated NetBios on both PCs

- I open a window on the desktop and and type \\laptop

- I get the network authentication dialog of Windows XP and put the username

and password of the user on the laptop to whom I have allowed access. The

system doesn’t let me in, and instead the authentication dialog appears

again, with the username filled with laptop\userA and the password filled

with bullets.

- The most weird thing is that this used to work perfectly some time ago. It

stopped working when after 5 unsuccessful log on attempts the account was

locked according to the security policies on the laptop.

I have tried various things to solve this problem but nothing works. I have

managed to disable the network authentication in total and directly access

the shares on the laptop, but this is not what I want. I don’t want anyone in

my local network accessing my laptop.

I am attaching below the exported values from the “user rights assignment”

and “security options” sections of the local security policies management

console.

Thank you very much in advance

user rights assignment

---------------------------

Policy Security Setting

Access this computer from the network Users,Administrators

Act as part of the operating system

Add workstations to domain

Adjust memory quotas for a process LOCAL SERVICE,NETWORK

SERVICE,Administrators

Allow logon through Terminal Services Administrators,Remote Desktop Users

Back up files and directories Administrators,Backup Operators

Bypass traverse checking Administrators,Users,Power Users,Backup Operators

Change the system time Administrators,Power Users

Create a pagefile Administrators

Create a token object

Create global objects Administrators,INTERACTIVE,SERVICE

Create permanent shared objects

Debug programs Administrators

Deny access to this computer from the network SUPPORT_388945a0

Deny logon as a batch job

Deny logon as a service

Deny logon locally

Deny logon through Terminal Services ASPNET

Enable computer and user accounts to be trusted for delegation

Force shutdown from a remote system Administrators

Generate security audits LOCAL SERVICE,NETWORK SERVICE

Impersonate a client after authentication Users,SERVICE,ASPNET,Administrators

Increase scheduling priority Administrators

Load and unload device drivers Administrators

Lock pages in memory

Log on as a batch job SUPPORT_388945a0,ASPNET

Log on as a service NETWORK SERVICE,ASPNET

Log on locally Backup,Administrators,Users,Power Users,Backup Operators

Manage auditing and security log Administrators

Modify firmware environment values Administrators

Perform volume maintenance tasks Administrators

Profile single process Administrators,Power Users

Profile system performance Administrators

Remove computer from docking station Administrators,Users,Power Users

Replace a process level token LOCAL SERVICE,NETWORK SERVICE

Restore files and directories Administrators,Backup Operators

Shut down the system Administrators,Users,Power Users,Backup Operators

Synchronize directory service data

Take ownership of files or other objects Administrators

security options

-------------------

Policy Security Setting

Accounts: Administrator account status Enabled

Accounts: Guest account status Enabled

Accounts: Limit local account use of blank passwords to console logon

only Enabled

Accounts: Rename administrator account ACAdmin

Accounts: Rename guest account Backup

Audit: Audit the access of global system objects Disabled

Audit: Audit the use of Backup and Restore privilege Disabled

Audit: Shut down system immediately if unable to log security audits Disabled

DCOM: Machine Access Restrictions in Security Descriptor Definition Language

(SDDL) syntax Not defined

DCOM: Machine Launch Restrictions in Security Descriptor Definition Language

(SDDL) syntax Not defined

Devices: Allow undock without having to log on Enabled

Devices: Allowed to format and eject removable media Administrators

Devices: Prevent users from installing printer drivers Disabled

Devices: Restrict CD-ROM access to locally logged-on user only Disabled

Devices: Restrict floppy access to locally logged-on user only Disabled

Devices: Unsigned driver installation behavior Warn but allow installation

Domain controller: Allow server operators to schedule tasks Not defined

Domain controller: LDAP server signing requirements Not defined

Domain controller: Refuse machine account password changes Not defined

Domain member: Digitally encrypt or sign secure channel data (always) Enabled

Domain member: Digitally encrypt secure channel data (when possible) Enabled

Domain member: Digitally sign secure channel data (when possible) Enabled

Domain member: Disable machine account password changes Disabled

Domain member: Maximum machine account password age 30 days

Domain member: Require strong (Windows 2000 or later) session key Disabled

Interactive logon: Do not display last user name Disabled

Interactive logon: Do not require CTRL+ALT+DEL Disabled

Interactive logon: Message text for users attempting to log on

Interactive logon: Message title for users attempting to log on Not defined

Interactive logon: Number of previous logons to cache (in case domain

controller is not available) 10 logons

Interactive logon: Prompt user to change password before expiration 14 days

Interactive logon: Require Domain Controller authentication to unlock

workstation Disabled

Interactive logon: Require smart card Not defined

Interactive logon: Smart card removal behavior No Action

Microsoft network client: Digitally sign communications (always) Disabled

Microsoft network client: Digitally sign communications (if server

agrees) Enabled

Microsoft network client: Send unencrypted password to third-party SMB

servers Disabled

Microsoft network server: Amount of idle time required before suspending

session 15 minutes

Microsoft network server: Digitally sign communications (always) Disabled

Microsoft network server: Digitally sign communications (if client

agrees) Disabled

Microsoft network server: Disconnect clients when logon hours expire Enabled

Network access: Allow anonymous SID/Name translation Disabled

Network access: Do not allow anonymous enumeration of SAM accounts Enabled

Network access: Do not allow anonymous enumeration of SAM accounts and

shares Disabled

Network access: Do not allow storage of credentials or .NET Passports for

network authentication Disabled

Network access: Let Everyone permissions apply to anonymous users Disabled

Network access: Named Pipes that can be accessed

anonymously COMNAP,COMNODE,SQL\QUERY,SPOOLSS,LLSRPC,browser

Network access: Remotely accessible registry

paths System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Control\Server

Applications,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP

Server,Software\Microsoft\Windows

NT\CurrentVersion,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal

Server,System\CurrentControlSet\Control\Terminal

Server\UserConfig,System\CurrentControlSet\Control\Terminal

Server\DefaultUserConfiguration

Network access: Shares that can be accessed anonymously COMCFG,DFS$

Network access: Sharing and security model for local accounts Classic -

local users authenticate as themselves

Network security: Do not store LAN Manager hash value on next password

change Enabled

Network security: Force logoff when logon hours expire Disabled

Network security: LAN Manager authentication level Send NTLMv2 response

only\refuse LM & NTLM

Network security: LDAP client signing requirements Negotiate signing

Network security: Minimum session security for NTLM SSP based (including

secure RPC) clients Require NTLMv2 session security

Network security: Minimum session security for NTLM SSP based (including

secure RPC) servers Require NTLMv2 session security

Recovery console: Allow automatic administrative logon Disabled

Recovery console: Allow floppy copy and access to all drives and all

folders Enabled

Shutdown: Allow system to be shut down without having to log on Enabled

Shutdown: Clear virtual memory pagefile Disabled

System cryptography: Use FIPS compliant algorithms for encryption, hashing,

and signing Disabled

System objects: Default owner for objects created by members of the

Administrators group Object creator

System objects: Require case insensitivity for non-Windows subsystems Enabled

System objects: Strengthen default permissions of internal system objects

(e.g. Symbolic Links) Enabled

January 3, 2008

Re: Network access issue in Home Network

Hi Panos,

Can't help you there, but to point you to Network Magic at

http://www.networkmagic.com and download the free version or Trial version

for help with your issue.

Have you activated File and Printer Sharing on both computers? Have you

allowed Full Access going through your Firewalls? Have you trusted your Home

Network in your Firewall?

--

thecreator

"Panos" <Panos@discussions.microsoft.com> wrote in message

news:9FC4F542-88C3-4E85-ADD5-FD516900ECF9@microsoft.com...

> Hello, I would appreciate any help on the following very weird issue:

>

> - I have 2 computers (one desktop and one laptop) in my home network which

> are named "desktop" and "laptop", and belong to the same workgroup MSHOME.

> - The Desktop is running Windows MCE SP 2 and the laptop Windows XP Pro SP

> 2.

> - I have activated file and printer sharing on the laptop and try to

> access

> a share from the desktop. I don't use "simple" file sharing but have

> configured the share permissions to allow full access to the share by a

> user

> with administrator rights that exists in the laptop, let's say "userA"

> - I have also activated NetBios on both PCs

> - I open a window on the desktop and and type \\laptop

> - I get the network authentication dialog of Windows XP and put the

> username

> and password of the user on the laptop to whom I have allowed access. The

> system doesn't let me in, and instead the authentication dialog appears

> again, with the username filled with laptop\userA and the password filled

> with bullets.

> - The most weird thing is that this used to work perfectly some time ago.

> It

> stopped working when after 5 unsuccessful log on attempts the account was

> locked according to the security policies on the laptop.

>

> I have tried various things to solve this problem but nothing works. I

> have

> managed to disable the network authentication in total and directly access

> the shares on the laptop, but this is not what I want. I don't want anyone

> in

> my local network accessing my laptop.

>

> I am attaching below the exported values from the "user rights assignment"

> and "security options" sections of the local security policies management

> console.

>

> Thank you very much in advance

>

> user rights assignment

> ---------------------------

> Policy Security Setting

> Access this computer from the network Users,Administrators

> Act as part of the operating system

> Add workstations to domain

> Adjust memory quotas for a process LOCAL SERVICE,NETWORK

> SERVICE,Administrators

> Allow logon through Terminal Services Administrators,Remote Desktop Users

> Back up files and directories Administrators,Backup Operators

> Bypass traverse checking Administrators,Users,Power Users,Backup Operators

> Change the system time Administrators,Power Users

> Create a pagefile Administrators

> Create a token object

> Create global objects Administrators,INTERACTIVE,SERVICE

> Create permanent shared objects

> Debug programs Administrators

> Deny access to this computer from the network SUPPORT_388945a0

> Deny logon as a batch job

> Deny logon as a service

> Deny logon locally

> Deny logon through Terminal Services ASPNET

> Enable computer and user accounts to be trusted for delegation

> Force shutdown from a remote system Administrators

> Generate security audits LOCAL SERVICE,NETWORK SERVICE

> Impersonate a client after authentication

> Users,SERVICE,ASPNET,Administrators

> Increase scheduling priority Administrators

> Load and unload device drivers Administrators

> Lock pages in memory

> Log on as a batch job SUPPORT_388945a0,ASPNET

> Log on as a service NETWORK SERVICE,ASPNET

> Log on locally Backup,Administrators,Users,Power Users,Backup Operators

> Manage auditing and security log Administrators

> Modify firmware environment values Administrators

> Perform volume maintenance tasks Administrators

> Profile single process Administrators,Power Users

> Profile system performance Administrators

> Remove computer from docking station Administrators,Users,Power Users

> Replace a process level token LOCAL SERVICE,NETWORK SERVICE

> Restore files and directories Administrators,Backup Operators

> Shut down the system Administrators,Users,Power Users,Backup Operators

> Synchronize directory service data

> Take ownership of files or other objects Administrators

>

> security options

> -------------------

>

> Policy Security Setting

> Accounts: Administrator account status Enabled

> Accounts: Guest account status Enabled

> Accounts: Limit local account use of blank passwords to console logon

> only Enabled

> Accounts: Rename administrator account ACAdmin

> Accounts: Rename guest account Backup

> Audit: Audit the access of global system objects Disabled

> Audit: Audit the use of Backup and Restore privilege Disabled

> Audit: Shut down system immediately if unable to log security audits

> Disabled

> DCOM: Machine Access Restrictions in Security Descriptor Definition

> Language

> (SDDL) syntax Not defined

> DCOM: Machine Launch Restrictions in Security Descriptor Definition

> Language

> (SDDL) syntax Not defined

> Devices: Allow undock without having to log on Enabled

> Devices: Allowed to format and eject removable media Administrators

> Devices: Prevent users from installing printer drivers Disabled

> Devices: Restrict CD-ROM access to locally logged-on user only Disabled

> Devices: Restrict floppy access to locally logged-on user only Disabled

> Devices: Unsigned driver installation behavior Warn but allow installation

> Domain controller: Allow server operators to schedule tasks Not defined

> Domain controller: LDAP server signing requirements Not defined

> Domain controller: Refuse machine account password changes Not defined

> Domain member: Digitally encrypt or sign secure channel data (always)

> Enabled

> Domain member: Digitally encrypt secure channel data (when possible)

> Enabled

> Domain member: Digitally sign secure channel data (when possible) Enabled

> Domain member: Disable machine account password changes Disabled

> Domain member: Maximum machine account password age 30 days

> Domain member: Require strong (Windows 2000 or later) session key Disabled

> Interactive logon: Do not display last user name Disabled

> Interactive logon: Do not require CTRL+ALT+DEL Disabled

> Interactive logon: Message text for users attempting to log on

> Interactive logon: Message title for users attempting to log on Not

> defined

> Interactive logon: Number of previous logons to cache (in case domain

> controller is not available) 10 logons

> Interactive logon: Prompt user to change password before expiration 14

> days

> Interactive logon: Require Domain Controller authentication to unlock

> workstation Disabled

> Interactive logon: Require smart card Not defined

> Interactive logon: Smart card removal behavior No Action

> Microsoft network client: Digitally sign communications (always) Disabled

> Microsoft network client: Digitally sign communications (if server

> agrees) Enabled

> Microsoft network client: Send unencrypted password to third-party SMB

> servers Disabled

> Microsoft network server: Amount of idle time required before suspending

> session 15 minutes

> Microsoft network server: Digitally sign communications (always) Disabled

> Microsoft network server: Digitally sign communications (if client

> agrees) Disabled

> Microsoft network server: Disconnect clients when logon hours expire

> Enabled

> Network access: Allow anonymous SID/Name translation Disabled

> Network access: Do not allow anonymous enumeration of SAM accounts Enabled

> Network access: Do not allow anonymous enumeration of SAM accounts and

> shares Disabled

> Network access: Do not allow storage of credentials or .NET Passports for

> network authentication Disabled

> Network access: Let Everyone permissions apply to anonymous users Disabled

> Network access: Named Pipes that can be accessed

> anonymously COMNAP,COMNODE,SQL\QUERY,SPOOLSS,LLSRPC,browser

> Network access: Remotely accessible registry

> paths

> System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Control\Server

> Applications,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP

> Server,Software\Microsoft\Windows

> NT\CurrentVersion,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal

> Server,System\CurrentControlSet\Control\Terminal

> Server\UserConfig,System\CurrentControlSet\Control\Terminal

> Server\DefaultUserConfiguration

> Network access: Shares that can be accessed anonymously COMCFG,DFS$

> Network access: Sharing and security model for local accounts Classic -

> local users authenticate as themselves

> Network security: Do not store LAN Manager hash value on next password

> change Enabled

> Network security: Force logoff when logon hours expire Disabled

> Network security: LAN Manager authentication level Send NTLMv2 response

> only\refuse LM & NTLM

> Network security: LDAP client signing requirements Negotiate signing

> Network security: Minimum session security for NTLM SSP based (including

> secure RPC) clients Require NTLMv2 session security

> Network security: Minimum session security for NTLM SSP based (including

> secure RPC) servers Require NTLMv2 session security

> Recovery console: Allow automatic administrative logon Disabled

> Recovery console: Allow floppy copy and access to all drives and all

> folders Enabled

> Shutdown: Allow system to be shut down without having to log on Enabled

> Shutdown: Clear virtual memory pagefile Disabled

> System cryptography: Use FIPS compliant algorithms for encryption,

> hashing,

> and signing Disabled

> System objects: Default owner for objects created by members of the

> Administrators group Object creator

> System objects: Require case insensitivity for non-Windows subsystems

> Enabled

> System objects: Strengthen default permissions of internal system objects

> (e.g. Symbolic Links) Enabled

>

March 17, 2008

RE: Network access issue in Home Network

Hi,

You can try one more thing & check, it should work. I have faced it earlier.

Ensure that below policy is set for both PCs (desktop & laptop)

Network security: LAN Manager authentication level Send NTLMv2 response

only\refuse LM & NTLM

Let me know whether it works.

"Panos" wrote:

> Hello, I would appreciate any help on the following very weird issue:

>

> - I have 2 computers (one desktop and one laptop) in my home network which

> are named “desktop” and “laptop”, and belong to the same workgroup MSHOME.

> - The Desktop is running Windows MCE SP 2 and the laptop Windows XP Pro SP 2.

> - I have activated file and printer sharing on the laptop and try to access

> a share from the desktop. I don’t use “simple” file sharing but have

> configured the share permissions to allow full access to the share by a user

> with administrator rights that exists in the laptop, let’s say “userA”

> - I have also activated NetBios on both PCs

> - I open a window on the desktop and and type \\laptop

> - I get the network authentication dialog of Windows XP and put the username

> and password of the user on the laptop to whom I have allowed access. The

> system doesn’t let me in, and instead the authentication dialog appears

> again, with the username filled with laptop\userA and the password filled

> with bullets.

> - The most weird thing is that this used to work perfectly some time ago. It

> stopped working when after 5 unsuccessful log on attempts the account was

> locked according to the security policies on the laptop.

>

> I have tried various things to solve this problem but nothing works. I have

> managed to disable the network authentication in total and directly access

> the shares on the laptop, but this is not what I want. I don’t want anyone in

> my local network accessing my laptop.

>

> I am attaching below the exported values from the “user rights assignment”

> and “security options” sections of the local security policies management

> console.

>

> Thank you very much in advance

>

> user rights assignment

> ---------------------------

> Policy Security Setting

> Access this computer from the network Users,Administrators

> Act as part of the operating system

> Add workstations to domain

> Adjust memory quotas for a process LOCAL SERVICE,NETWORK

> SERVICE,Administrators

> Allow logon through Terminal Services Administrators,Remote Desktop Users

> Back up files and directories Administrators,Backup Operators

> Bypass traverse checking Administrators,Users,Power Users,Backup Operators

> Change the system time Administrators,Power Users

> Create a pagefile Administrators

> Create a token object

> Create global objects Administrators,INTERACTIVE,SERVICE

> Create permanent shared objects

> Debug programs Administrators

> Deny access to this computer from the network SUPPORT_388945a0

> Deny logon as a batch job

> Deny logon as a service

> Deny logon locally

> Deny logon through Terminal Services ASPNET

> Enable computer and user accounts to be trusted for delegation

> Force shutdown from a remote system Administrators

> Generate security audits LOCAL SERVICE,NETWORK SERVICE

> Impersonate a client after authentication Users,SERVICE,ASPNET,Administrators

> Increase scheduling priority Administrators

> Load and unload device drivers Administrators

> Lock pages in memory

> Log on as a batch job SUPPORT_388945a0,ASPNET

> Log on as a service NETWORK SERVICE,ASPNET

> Log on locally Backup,Administrators,Users,Power Users,Backup Operators

> Manage auditing and security log Administrators

> Modify firmware environment values Administrators

> Perform volume maintenance tasks Administrators

> Profile single process Administrators,Power Users

> Profile system performance Administrators

> Remove computer from docking station Administrators,Users,Power Users

> Replace a process level token LOCAL SERVICE,NETWORK SERVICE

> Restore files and directories Administrators,Backup Operators

> Shut down the system Administrators,Users,Power Users,Backup Operators

> Synchronize directory service data

> Take ownership of files or other objects Administrators

>

> security options

> -------------------

>

> Policy Security Setting

> Accounts: Administrator account status Enabled

> Accounts: Guest account status Enabled

> Accounts: Limit local account use of blank passwords to console logon

> only Enabled

> Accounts: Rename administrator account ACAdmin

> Accounts: Rename guest account Backup

> Audit: Audit the access of global system objects Disabled

> Audit: Audit the use of Backup and Restore privilege Disabled

> Audit: Shut down system immediately if unable to log security audits Disabled

> DCOM: Machine Access Restrictions in Security Descriptor Definition Language

> (SDDL) syntax Not defined

> DCOM: Machine Launch Restrictions in Security Descriptor Definition Language